Seccomp_filters showed `1` in `/proc/$ESCALATED_PROC/status`

[RocketMaDev]

Please check before submitting an issue

• I have searched the issues and haven't found anything relevant
• I will upload bugreport file in KernelSU Manager - Settings - Report log
• I know how to reproduce the issue which may not be specific to my device

Describe the bug

KernelSU will turn off seccomp filters when escalating privilege,

static void disable_seccomp()
{
	assert_spin_locked(&current->sighand->siglock);
	// disable seccomp
#if defined(CONFIG_GENERIC_ENTRY) &&                                           \
	LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
	current_thread_info()->syscall_work &= ~SYSCALL_WORK_SECCOMP;
#else
	current_thread_info()->flags &= ~(TIF_SECCOMP | _TIF_SECCOMP);
#endif

#ifdef CONFIG_SECCOMP
	current->seccomp.mode = 0;
	current->seccomp.filter = NULL;
#else
#endif
}

However, it seems that it doesn't release seccomp filters correctly, and might lead to memory leak.

To Reproduce

1. run cat /proc/self/status and refer to seccomp section (NoNewPrivs:0, Seccomp:2, Seccomp_filters:1)
2. run sudo cat /proc/self/status and refer to seccomp section (NoNewPrivs:0, Seccomp:0, Seccomp_filters:1)

Expected behavior

Clear seccomp filter bpf reference when disabling it, that is, display NoNewPrivs: 0, Seccomp: 0, Seccomp_filters: 0 in /proc/$PROC/status

Screenshots

No response

Logs

No response

Device info

• Device: Mi 13
• OS Version: MIUI 14.0.31
• KernelSU Version: v1.0.5
• Kernel Version: 5.15.167

Additional context

No response

[aviraxp]

plz testv\ #2708

[RocketMaDev]

plz testv\ #2708

Should we call something like seccomp_filter_release to give back filter resources? I'm not a bpf expert so I don't know when to release these filters.

ref: https://elixir.bootlin.com/linux/v6.16/source/kernel/seccomp.c#L524

[aviraxp]

Uninstall seccomp filter is not supported usecase in Linux. I don't think we can do it correctly. Just leave it as is is better.

[RocketMaDev]

Then leave it open for a while and see how other collaborators think.

[rsuntk]

plz testv\ #2708

Should we call something like seccomp_filter_release to give back filter resources? I'm not a bpf expert so I don't know when to release these filters.

ref: https://elixir.bootlin.com/linux/v6.16/source/kernel/seccomp.c#L524

I think #2708 is a right approach. Commit reference:
torvalds/linux@c818c03

[rsuntk]

Should we call something like seccomp_filter_release to give back filter resources? I'm not a bpf expert so I don't know when to release these filters.

ref: https://elixir.bootlin.com/linux/v6.16/source/kernel/seccomp.c#L524

btw, i tried your advice by using put_seccomp_filter (since my kernel is below 5.9), and the tests were fine, (ref: https://github.com/rsuntk/KernelSU/compare/8fb3ec749ab9fa0df90e66735eeadf8b8b45c384..49affc7d213235af69a954dc899053ae1da853e1)

[RocketMaDev]

@rsuntk I notice that since 6.10, seccomp_filter_release require task in a exiting status, so should there be some work around?

torvalds/linux@bfafe5e

[rsuntk]

@rsuntk I notice that since 6.10, seccomp_filter_release require task in a exiting status, so should there be some work around?

torvalds/linux@bfafe5e

Maybe its possible to create a function to mimic seccomp_release thing, but for now, let just leave it since KernelSU doesn't have 6.10+ build support yet.